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CLAIMS 

1 1. A method for checking a model, which defines states 

2 of a system under study and a transition relation among 

3 the states, the method comprising: 

4 specifying a path to be traversed through the states 

5 of the system under study from an initial set that 

6 comprises at least one initial state among the states of 

7 the system to a target set that comprises at least one 

8 target state among the states of the system, such that a 

9 specified sequence of events is to occur on the specified 

10 path between the at least one initial state and the at 

11 least one target state; 

12 beginning from the initial set, computing successive 

13 reachable sets comprising the states of the system that 

14 are reachable from the initial set along the specified 

15 path, such that in the successive reachable sets the 

16 events occur in the specified sequence; 

17 determining whether an intersection exists between 

18 one of the reachable sets on the specified path and the 

19 target set; and 

2 0 when the intersection is not found to exist, 

21 producing a partial trace along the specified path 

22 between the at least one initial state and a termination 

23 state in which at least one of the specified events 

24 occurs. 

1 2. A method according to claim 1, wherein specifying 

2 the path comprises defining the events in terms of 

3 transitions among the states of the system under study. 

1 3. A method according to claim 2, wherein defining the 

2 events comprises defining the transitions such that in 

3 the sequence of events, at least two consecutive 
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4 transitions are separated by more than one cycle of the 

5 transition relation. 

1 4. A method according to claim 2, wherein computing the 

2 successive reachable sets comprises building a 

3 non-deterministic automaton based on the transitions, and 

4 computing the reachable sets using the automaton. 

1 5. A method according to claim 4, wherein building the 

2 non-deterministic automaton comprises defining Boolean 

3 conditions corresponding respectively to the transitions, 

4 and wherein detecting the occurrence of the events 

5 comprises testing the Boolean conditions. 

1 6. A method according to claim 1, wherein computing the 

2 successive reachable sets comprises detecting occurrence 

3 of the events in the sequence. 

1 7. A method according to claim 6, and comprising 

2 informing a user upon detecting occurrence of the events. 

1 8. A method according to claim 6, wherein producing the 

2 partial trace comprises choosing the termination state to 

3 be one of the states in which a final event occurs in the 

4 sequence of the events whose occurrence has been 

5 detected. 

1 9. A method according to claim 1, wherein computing the 

2 successive reachable sets comprises: 

3 determining a first set among the reachable sets, 

4 disjoint from the initial set, such that all of the 

5 states in the first set are reached from the initial 

6 states in a first cycle of the transition relation; and 

7 determining the successive reachable sets, following 

8 the first set, such that all the states in each of the 

9 sets are reached from the states in the preceding set in 
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10 a successive cycle of the transition relation, and so 

11 that each of the sets is disjoint from the initial set 

12 and from the other sets determined before it. 

1 10. A method according to claim 9, wherein producing the 

2 partial trace comprises selecting one of the states from 

3 each of at least some of the successive reachable sets. 

1 11. A method according to claim 10, wherein selecting 

2 the one of the states comprises, for each of the selected 
H= 3 states, choosing a predecessor state among the states in 
f=j 4 the preceding set until the state on the trace in the 
J; 5 first set is found, and choosing the predecessor state in 
ffj 6 the initial set to the state in the first set. 

jz 1 12 . A method according to claim 1, and comprising, when 

m 2 it is determined that the intersection exists between the 

M> 3 target set and one of the reachable sets, producing a 

[T 4 complete trace from the at least one target state through 

O 5 the states in the reachable sets to the at least one 

! - 6 initial state. 

1 13. A method according to claim 12, wherein producing 

2 the complete trace comprises computing the trace so that 

3 all the events occur along the trace in the specified 

4 sequence . 

1 14. A method according to claim 1, wherein specifying 

2 the path comprises specifying a property to be fulfilled 

3 by the at last one target state. 

1 15. A method according to claim 14, wherein specifying 

2 the property comprises specifying a condition that is 

3 expected to be true over all of the reachable states of 

4 the system under study, and wherein the condition is 

5 false in the at least one target state. 
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1 16. A method according to claim 14, wherein specifying 

2 the property comprises specifying a condition 

3 representing a desired behavior of the system under 

4 study, such that the condition is fulfilled in the at 

5 least one target state. 

1 17. A method according to claim 14, wherein computing 

2 the successive reachable sets comprises testing the 

3 property while computing the sets, and ceasing to compute 

4 the sets when the intersection is found to exist. 

y 1 18. Model checking apparatus, comprising a model 

nj 2 processor, which is arranged to receive a model that 

= 3 defines states of a system under study and a transition 

JJ 4 relation among the states, and to receive a specification 

JL 5 of a path to be traversed through the states of the 

jM= 6 system under study from an initial set that comprises at 

f? 7 least one initial state among the states of the system to 

O 8 a target set that comprises at least one target state 

til 

9 among the states of the system, such that a specified 

10 sequence of events is to occur on the path between the at 

11 least one initial state and the at least one target 

12 state, the processor being further arranged to compute, 

13 beginning from the initial set, successive reachable sets 

14 comprising the states of the system that are reachable 

15 from the initial set along the path, such that in the 

16 successive reachable sets the events occur in the 

17 specified sequence, and to determine whether an 

18 intersection exists between one of the reachable sets on 

19 the path and the target set, and when the intersection is 
2 0 not found to exist, to produce a partial trace along the 
21 specified path between the at least one initial state and 
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22 a termination state in which at least one of the 

23 specified events occurs. 

1 19. Apparatus according to claim 18, wherein the 

2 specification of the path comprises a definition of the 

3 events in terms of transitions among the states of the 

4 system under study. 

1 20. Apparatus according to claim 19, wherein the events 

2 are defined in terms of the transitions such that in the 

3 sequence of events, at least two consecutive transitions 

4 are separated by more than one cycle of the transition 

5 relation. 

1 21. Apparatus according to claim 19, wherein the 

2 processor is arranged to build a non-deterministic 

3 automaton based on the transitions, and to compute the 

4 reachable sets using the automaton. 

1 22. Apparatus according to claim 21, wherein the 

2 processor is arranged to determine Boolean conditions 

3 corresponding respectively to the transitions, and to 

4 detect the occurrence of the events comprises testing the 

5 Boolean conditions . 

1 23. Apparatus according to claim 18, wherein the 

2 processor is arranged to detect occurrence of the events 

3 in the sequence while computing the successive reachable 

4 sets. 

1 24. Apparatus according to claim 23, wherein the 

2 processor is arranged to inform a user upon detecting 

3 occurrence of the events . 

1 25. Apparatus according to claim 23, wherein to produce 

2 the partial trace, the processor is arranged to choose 

3 the termination state to be one of the states in which a 
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4 final event occurs in the sequence of the events whose 

5 occurrence has been detected. 

1 26. Apparatus according to claim 18, wherein the 

2 processor is arranged to compute the successive reachable 

3 sets by determining a first set among the reachable sets, 

4 disjoint from the initial set, such that all of the 

5 states in the first set are reached from the initial 

6 states in a first cycle of the transition relation, 

7 followed by determining the successive reachable sets, 
p 8 following the first set, such that all the states in each 
M 9 of the sets are reached from the states in the preceding 
jfljlO set in a successive cycle of the transition relation, and 
: ;;11 so that each of the sets is disjoint from the initial set 
£12 and from the other sets determined before it. 

O 1 27. Apparatus according to claim 26, wherein the 

!~7 2 processor is arranged to produce the partial trace by 

y> 3 selecting one of the states from each of at least some of 

% 4 the successive reachable sets. 

m 

1 28. Apparatus according to claim 27, wherein the 

2 processor is arranged to select the states from each of 

3 the at least some of the successive sets by choosing, for 

4 each of the states, a predecessor state among the states 

5 in the preceding set until the state on the trace in the 

6 first set is found, and choosing the predecessor state in 

7 the initial set to the state in the first set. 

1 29. Apparatus according to claim 18, and wherein the 

2 processor is further arranged, upon determining that the 

3 intersection exists between the target sets and one of 

4 the reachable sets, to produce a complete trace from the 
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5 at least one target state through the states in the 

6 reachable sets to the at least one initial state. 

1 30. Apparatus according to claim 29, wherein the 

2 processor is arranged to produce the complete trace so 

3 that all the events occur along the trace in the 

4 specified sequence. 

1 31. Apparatus according to claim 18, wherein the path 

2 specification comprises a property to be fulfilled by the 

3 at last one target state. 

1 32. Apparatus according to claim 31, wherein the 

2 property comprises a condition that is expected to be 

3 true over all of the reachable states of the system under 

4 study, and wherein the condition is false in the at least 

5 one target state. 

1 33. Apparatus according to claim 31, wherein the 

2 property comprises a condition representing a desired 

3 behavior of the system under study, such that the 

4 condition is fulfilled in the at least one target state. 

1 34. Apparatus according to claim 31, wherein the 

2 processor is arranged to test the property while 

3 computing the successive reachable sets, and to cease to 

4 compute the sets when the intersection is found to exist. 

1 35. A computer software product, comprising a 

2 computer -readable medium in which program instructions 

3 are stored, which instructions, when read by a computer, 

4 cause the computer to receive a model that defines states 

5 of a system under study and a transition relation among 

6 the states, and to receive a specification of a path to 

7 be traversed through the states of the system under study 

8 from an initial set that comprises at least one initial 
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9 state among the states of the system to a target set that 

10 comprises at least one target state among the states of 

11 the system, such that a specified sequence of events is 

12 to occur on the path between the at least one initial 

13 state and the at least one target state, and which cause 

14 the computer to compute, beginning from the initial set, 

15 successive reachable sets comprising the states of the 

16 system that are reachable from the initial set along the 

17 path, such that in the successive reachable sets the 

18 events occur in the specified sequence, and to determine 

19 whether an intersection exists between one of the 
2 0 reachable sets on the path and the target set, and when 

21 the intersection is not found to exist, to produce a 

22 partial trace along the specified path between the at 

23 least one initial state and a termination state in which 

24 at least one of the specified events occurs.. 

1 36. A product according to claim 35, wherein the 

2 specification of the path comprises a definition of the 

3 events in terms of transitions among the states of the 

4 system under study. 

1 37. A product according to claim 36, wherein the events 

2 are defined in terms of the transitions such that in the 

3 sequence of events, at least two consecutive transitions 

4 are separated by more than one cycle of the transition 

5 relation. 

1 38. A product according to claim 36, wherein the 

2 instructions cause the computer to build a 

3 non-deterministic automaton based on the transitions, and 

4 to compute the reachable sets using the automaton. 
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1 39. A product according to claim 38, wherein the 

2 instructions cause the computer to determine Boolean 

3 conditions corresponding respectively to the transitions, 

4 and to detect the occurrence of the events comprises 

5 testing the Boolean conditions. 

1 40. A product according to claim 35, wherein the 

2 instructions cause the computer to detect occurrence of 

3 the events in the sequence while computing the successive 

4 reachable sets. 

4 S 1 41. A product according to claim 40, wherein the 

fU 2 instructions cause the computer to inform a user upon 

3 detecting occurrence of the events. 

J* 1 42. A product according to claim 40, wherein the 

O 2 instructions cause the computer to produce the partial 

3 trace by choosing the termination state to be one of the 

^ 4 states in which a final event occurs in the sequence of 

rl 

nj 5 the events whose occurrence has been detected. 

1 43 . A product according to claim 35, wherein the 

2 instructions cause the computer to compute the successive 

3 reachable sets by determining a first set among the 

4 reachable sets, disjoint from the initial set, such that 

5 all of the states in the first set are reached from the 

6 initial states in a first cycle of the transition 

7 relation, followed by determining the successive 

8 reachable sets, following the first set, such that all 

9 the states in each of the sets are reached from the 

10 states in the preceding set in a successive cycle of the 

11 transition relation, and so that each of the sets is 

12 disjoint from the initial set and from the other sets 

13 determined before it. 
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1 44. A product according to claim 43, wherein the 

2 instructions cause the computer to produce the partial 

3 trace by selecting one of the states from each of at 

4 least some of the successive reachable sets. 

1 45. A product according to claim 44, wherein the 

2 instructions cause the computer to select the states from 

3 each of the at least some of the successive sets by 

4 choosing, for each of the states, a predecessor state 

5 among the states in the preceding set until the state on 

6 the trace in the first set is found, and choosing the 

7 predecessor state in the initial set to the state in the 

8 first set. 

1 46. A product according to claim 35, and wherein the 

2 instructions further cause the computer, upon determining 

3 that the intersection exists between the target sets and 

4 one of the reachable sets, to produce a complete trace 

5 from the at least one target state through the states in 

6 the reachable sets to the at least one initial state. 

1 47. A product according to claim 46, wherein the 

2 instructions cause the computer to produce the complete 

3 trace so that all the events occur along the trace in the 

4 specified sequence. 

1 48. A product according to claim 35, wherein the path 

2 specification comprises a property to be fulfilled by the 

3 at last one target state. 

1 49. A product according to claim 48, wherein the 

2 property comprises a condition that is expected to be 

3 true over all of the reachable states of the system under 

4 study, and wherein the condition is false in the at least 

5 one target state. 
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1 50. A product according to claim 48, wherein the 

2 property comprises a condition representing a desired 

3 behavior of the system under study, such that the 

4 condition is fulfilled in the at least one target state. 

1 51. A product according to claim 48, wherein the 

2 instructions cause the computer to test the property 

3 while computing the successive reachable sets, and to 

4 cease to compute the sets when the intersection is found 

5 to exist . 
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